RE: Adobe Reader 7
by Fred New
On Mon 4/11/2005 6:25 PM, Daniel J Walsh wrote:
> Fred New wrote:
>
> > [fred@darth ~]$ /usr/local/Adobe/Acrobat7.0/bin/acroread
> > /usr/local/Adobe/Acrobat7.0/Reader/intellinux/bin/acroread: error
> > while loading shared libraries:
> > /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so: cannot
> > restore segment prot after reloc: Permission denied
> > [fred@darth ~]$
> >
> Which policy are you running?
> rpm -q -i selinux-policy-targeted
I am running the latest policy:
[fred@darth ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-1.23.9-1
[fred@darth ~]$
(I'm assuming you didn't really want the "-i" in "rpm -q -i ...".)
When I originally wrote a couple days ago, I was running the previous
policy, selinux-policy-targeted-1.23.8-2. So I just now deleted the
/usr/local/Adobe directory and re-installed it - same results.
And "restorecon /usr/local/Adobe" doesn't change anything either.
I noticed when I installed selinux-policy-targeted-1.23.9-1
that the context for the Adobe Reader Firefox plugin,
/usr/lib/firefox-1.0.2/plugins/nppdf.so, changed from
lib_t to shlib_t. Everything in /usr/local/Adobe is still usr_t.
Fred
Can somebody help me?
by Hongwei Li
Hi,
I just found that my fc3 system log shows many, many entries like the ones below:
Apr 5 14:50:42 morpheus kernel: audit(1112730642.889:0): avc: denied {
ioctl } for pid=32509 exe=/usr/bin/perl path=/proc/loadavg dev=proc
ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:proc_t tclass=file
Apr 5 14:51:19 morpheus kernel: audit(1112730679.318:0): avc: denied {
ioctl } for pid=32579 exe=/usr/bin/perl path=/proc/loadavg dev=proc
ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:proc_t tclass=file
...
What does it mean? Although I haven't had any real trouble with email service,
web service, squirrelmail, etc., I'd like to know if it means something
bad in the system and how to fix it.
Thanks a lot!
Hongwei Li
Adobe Reader 7
by Fred New
I have installed the beta Adobe Reader 7.0 on my Fedora Core 4 Test 1
system, targeted policy,
(ftp://ftp.adobe.com/pub/adobe/reader/unix/7x/7.0/enu/AdbeRdr70_linux_enu....)
and I had to make the following context changes in order to get it to
work:
find /usr/local/Adobe -exec chcon -t lib_t {} \;
find /usr/local/Adobe/Acrobat7.0/Reader/intellinux \
-type f -exec chcon -t shlib_t {} \;
find /usr/local/Adobe/Acrobat7.0/Browser/intellinux \
-type f -exec chcon -t shlib_t {} \;
Is this a correct and accepted way of dealing with this without
installing the policy sources?
Fred
Policies for bastille?
by R. Jensen
I recently downloaded Bastille and was unable to get
the PSAD portion to install. [Bastille is trying to
install /usr/sbin/psad (among others)].
[root@lankhmar log]# ls -ldZ /usr/sbin
drwxr-xr-x root root system_u:object_r:sbin_t
So I would *expect* an SELinux error if psad isn't of type sbin_t.
[But I don't see any avc messages in the log.]
Here's a portion of Bastille's error log:
{Fri Mar 4 11:15:28 2005} Failed to place /psad as /usr/sbin/psad
{Fri Mar 4 11:15:28 2005} #ERROR: chmod: File /usr/sbin/psad doesn't exist!
{Fri Mar 4 11:15:28 2005} Failed to place /psadwatchd as
/usr/sbin/psadwatchd
{Fri Mar 4 11:15:28 2005} #ERROR: chmod: File /usr/sbin/psadwatchd
doesn't exist!
{Fri Mar 4 11:15:28 2005} Failed to place /kmsgsd as /usr/sbin/kmsgsd
{Fri Mar 4 11:15:28 2005} #ERROR: chmod: File /usr/sbin/kmsgsd doesn't
exist!
Does this look like an SELinux issue or just Bastille?
Richard.
snmpd bug
by Farkas Levente
Hi,
I just noticed this bug in our firewall's log file:
-----------------------------------
Apr 7 17:50:23 portal kernel: audit(1112889023.021:0): avc: denied {
search } for pid=6409 exe=/usr/sbin/snmpd name=net dev=proc
ino=-268435351 scontext=user_u:system_r:snmpd_t
tcontext=system_u:object_r:sysctl_net_t tclass=dir
-----------------------------------
It seems snmpd tries to do something which is not allowed :-)
yours.
--
Levente "Si vis pacem para bellum!"
Error loading libsepol during system boot
by W. Michael Petullo
I have been sitting on a problem for a few weeks, waiting to see if a
forthcoming policy package would fix it. I wanted to mention it on this
mailing list before entering it into Bugzilla because I am not convinced
it is not my fault.
When I try to boot my system with Fedora's strict policy, the process
stops with the following message:
... denied { execmem } for pid=1 comm=init scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process
/sbin/init: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Permission denied
kernel panic - not syncing: Attempted to kill init!
I am using:
SysVinit-2.85-37
selinux-policy-strict-1.23.6-3
libsepol-1.5.3-1
Has anyone else experienced this?
--
Mike
:wq
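An added example, not code from any of these posts: it parses the kernel AVC lines quoted by Hongwei, Levente and Mike (both the syslog "audit(...): avc: denied" form and the bare "denied { execmem } for" form from the boot panic) and folds them into the allow-rule shape audit2allow prints, so a log full of repeated denials collapses to a few countable rows before anyone decides whether to allow, relabel or fix the program. The sample log is constructed from the lines on this page, unwrapped.

```python
import re
from collections import defaultdict

# Kernel AVC wording from these posts; "avc:" is optional because Mike's boot line lacks it.
AVC_RE = re.compile(r"(?:avc:\s+)?denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_avc(line):
    """Return the fields of one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(m.group("kv")))
    if not {"scontext", "tcontext", "tclass"} <= set(kv):
        return None
    return {"perms": m.group("perms").split(),
            "source": kv["scontext"].split(":")[2],  # type part of user:role:type
            "target": kv["tcontext"].split(":")[2],
            "tclass": kv["tclass"]}

def summarize(lines):
    """Group denials by (source type, target type, class); union perms, count repeats."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for d in filter(None, map(parse_avc, lines)):
        g = groups[(d["source"], d["target"], d["tclass"])]
        g["perms"].update(d["perms"])
        g["count"] += 1
    return groups

def to_rules(groups):
    """Render groups in the allow-rule form audit2allow prints. Each rule is a
    candidate to review, not a verdict: a mislabelled file (as in the Adobe
    thread) is fixed by relabelling, not by allowing the access."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        if len(g["perms"]) > 1:
            perms = "{ " + perms + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perms};")
    return rules

# Constructed sample: the syslog lines quoted on this page, unwrapped, plus one unrelated line.
SAMPLE_LOG = [
    "Apr 5 14:50:42 morpheus kernel: audit(1112730642.889:0): avc: denied { ioctl } for pid=32509 exe=/usr/bin/perl path=/proc/loadavg dev=proc ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:proc_t tclass=file",
    "Apr 5 14:51:19 morpheus kernel: audit(1112730679.318:0): avc: denied { ioctl } for pid=32579 exe=/usr/bin/perl path=/proc/loadavg dev=proc ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:proc_t tclass=file",
    "Apr 7 17:50:23 portal kernel: audit(1112889023.021:0): avc: denied { search } for pid=6409 exe=/usr/sbin/snmpd name=net dev=proc ino=-268435351 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:sysctl_net_t tclass=dir",
    "... denied { execmem } for pid=1 comm=init scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process",
    "Apr 7 17:50:24 portal kernel: eth0: link up",
]
```

Calling to_rules(summarize(SAMPLE_LOG)) collapses the two perl denials into one row and yields three rules in total; feeding it a real /var/log/messages is a matter of passing the file's lines instead of SAMPLE_LOG.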
Another Apache problem
by David Hampton
I noticed that I had "r_dir_file(httpd_t, httpdcontent)" in my
domains/misc/local.te file so I removed it. After I did this I started
getting avc errors for all web access to my server. Audit2allow says I
need:
allow httpd_t httpd_sys_content_t:dir { getattr search };
allow httpd_t httpd_sys_content_t:file { getattr read };
Poking through the policy sources, it appears that httpd_t no longer has
permission to read files with the httpdcontent attribute. Grep shows
only this one place where httpd_t gets permission to read the content...
./domains/program/apache.te:create_dir_file(httpd_t, httpdcontent)
...but this line is protected by what looks like a four-way conditional
and doesn't appear to have any effect. Would it make sense to add
unconditional read access to httpd before checking/allowing write and
execute access on the files?
My system is an FC3 base running with Daniel Walsh's 1.23.6-1 strict
policy.
David
New policy for razor
by David Hampton
This is a new strict policy for the razor spam filter. It is based on
the selinux-policy-strict-sources-1.23.2-1 fedora RPM. This policy
requires the definition of a razor reserved port that was in the
net_contexts diff I sent last Wednesday. Please let me know if there
are any problems with or changes needed to this policy.
David
Additions to net_contexts
by David Hampton
Here are some additions to net_contexts to define additional privileged
ports. I'll be submitting policies that reference these ports over the
next week or so as I get them cleaned up. This is based on the file
from the selinux-policy-strict-sources-1.22.1-2 rpm on my FC3 system.
David
CGI permissions for targeted policy
by Ben
I have been having some problems with a CGI program, and audit2allow
shows I should add these permissions:
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t httpd_tmp_t:file getattr;
allow httpd_sys_script_t httpd_tmp_t:file read;
I'm pretty green at SELinux, so I'm not too sure what these allow. I
suspect that the last rule lets httpd_sys_script_t programs read files
of type httpd_tmp_t, and the second rule lets them stat() those files.
What does the first rule mean, exactly? The CGI program I'm trying to
run creates a random filename, and I expect this is related to that,
but there ends my speculation.